patch to allow loading PKCS #11 URLs
mdounin at mdounin.ru
Mon Jun 22 01:11:32 UTC 2015
On Fri, Jun 19, 2015 at 04:39:48PM +0200, Nikos Mavrogiannopoulos wrote:
> On Fri, 2015-06-19 at 17:07 +0300, Maxim Dounin wrote:
> > Have you tried
> > ssl_certificate_key
> > "engine:pkcs11:model=SoftHSM%20v2serial=f0490bea35;pin-value=1234";
> > instead?
> > I don't see how it's different from the code you propose.
> Yes, I've tried it. It would be specified as:
> But doesn't work, because it doesn't initialize the pkcs11 engine.
Shouldn't initialization of an engine be added to "engine:..."
(Just a side note: your patch has ENGINE_init() but no
ENGINE_finish(). It looks like a leak.)
> Furthermore, the "engine:pkcs11:pkcs11:" approach defeats the purpose
> of PKCS #11 URLs which is to use the same string to identify the same
> keys on all applications.
The goal of the "engine:..." syntax is to allow nginx to load keys
from arbitrary engines. With this approach you can use PKCS #11
URLs as identifiers for engines which support them - though you
have to write a prefix "engine:<name>:" to instruct nginx to load
a key from a named engine rather than a file. So I don't think
that the current approach "defeats the purpose" somehow - it's
just a bit more chatty than it can be assuming nginx knows for
sure that the only engine useable for PKCS #11 URLs is pkcs11.
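As an added illustration, not code from nginx or from either poster: a small Python parser for the "engine:<name>:<key-id>" form discussed above, showing why a key id for the pkcs11 engine carries its own "pkcs11:" prefix. The sample string and the helper names are constructed for this example; the parser accepts the ';'-separated attribute form used in the thread plus an optional '?' query part.

```python
import urllib.parse

# Constructed sample in the syntax from the thread: "engine:<name>:<key-id>",
# where for the pkcs11 engine <key-id> is itself a PKCS #11 URL, hence the
# doubled "pkcs11:pkcs11:" prefix Maxim calls "a bit more chatty".
SAMPLE_KEY = ("engine:pkcs11:pkcs11:model=SoftHSM%20v2;serial=f0490bea35;"
              "pin-value=1234")


def split_engine_key(value):
    """Split "engine:<name>:<key-id>" into (name, key_id).

    Only the first two ':' are separators; the key id keeps any further
    colons (a PKCS #11 URL contains one). A plain path returns (None, path).
    """
    if not value.startswith("engine:"):
        return None, value
    name, sep, key_id = value[len("engine:"):].partition(":")
    if not sep or not name or not key_id:
        raise ValueError("malformed engine key: %r" % value)
    return name, key_id


def parse_pkcs11_url(url):
    """Parse a PKCS #11 URL into a dict of percent-decoded attributes.

    Path attributes are ';'-separated, query attributes (after '?') are
    '&'-separated; the thread's sample puts pin-value in the path part.
    """
    if not url.startswith("pkcs11:"):
        raise ValueError("not a PKCS #11 URL: %r" % url)
    path, _, query = url[len("pkcs11:"):].partition("?")
    attrs = {}
    for part, delim in ((path, ";"), (query, "&")):
        for item in filter(None, part.split(delim)):
            name, sep, raw = item.partition("=")
            if not sep or name in attrs:
                raise ValueError("bad or duplicate attribute: %r" % item)
            attrs[name] = urllib.parse.unquote(raw)
    return attrs


def resolve_key(value):
    """Return (engine, attrs) for a pkcs11 engine key, else (engine, key_id)."""
    engine, key_id = split_engine_key(value)
    if engine == "pkcs11":
        return engine, parse_pkcs11_url(key_id)
    return engine, key_id
```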